/**
 * File Created at 2018年2月5日
 * All rights reserved.
 */
package com.kakavr.auth.filter;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * xss封装请求
 * @author gang.yang
 */
public class XSSRequestWrapper extends HttpServletRequestWrapper {

	public XSSRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	@Override
	public String[] getParameterValues(String parameter) {

		String[] values = super.getParameterValues(parameter);

		if (values == null) {

			return null;

		}

		int count = values.length;

		String[] encodedValues = new String[count];

		for (int i = 0; i < count; i++) {

			encodedValues[i] = stripXSS(values[i]);

		}

		return encodedValues;

	}

	@Override
	public String getParameter(String parameter) {

		String value = super.getParameter(parameter);
		if("true".equals(value)){
			value = "1";
		}
		if("false".equals(value)){
			value = "0";
		}

		return stripXSS(value);

	}

	@Override
	public String getHeader(String name) {

		String value = super.getHeader(name);

		return stripXSS(value);

	}

	private String stripXSS(String value) {

		if (value != null) {

			value = value.replaceAll("", "");

			// Avoid anything between script tags

			Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid anything in a src='...' type of expression

			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

			// Remove any lonesome </script> tag

			scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);

			value = scriptPattern.matcher(value).replaceAll("");

			// Remove any lonesome <script ...> tag

			scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid eval(...) expressions

			scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid expression(...) expressions

			scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid javascript:... expressions

			scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid vbscript:... expressions

			scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);

			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid onload= expressions

			scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE
					| Pattern.MULTILINE
					| Pattern.DOTALL);

			value = scriptPattern.matcher(value).replaceAll("");

		}

		return value;

	}

}
